from the you're-not-helping dept

For years now, we've noted that some companies apparently think it's a good idea to punish security researchers that expose vulnerabilities in their products, even when the researchers use the proper channels to report their findings. This kind of absurdity runs hand-in-hand with international attempts to criminalize security research -- or the tools researchers use -- to do their jobs. Obviously, this kind of behavior has one tangible end result: it makes all of us less secure.

The latest chapter in this saga of myopic bumbling comes courtesy of PwC, which for whatever reason decided that the best response to a major security flaw found in one of the company's products was to fire off a cease and desist letter aimed at the researchers. More specifically, Munich-based ESNC published a security advisory earlier this month documenting how a remotely exploitable bug in a PwC security tool could allow an attacker to gain unauthorized access to an impacted SAP system.

The advisory was quick to point out that the vulnerability could allow a hacker to manipulate accounting documents and financial results and commit fraud, if they were so inclined:

"Based on the business processes implemented on the SAP systems on which ACE is installed, this security vulnerability may allow an attacker to e.g. manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions. This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money."

The researchers say they received the cease and desist threat despite meeting with PwC in August to discuss the flaw. ESNC also gave PwC three months to fix the flaw before issuing their public advisory, in line with the firm's responsible disclosure policy. ESNC says this was the first time they'd ever sent their research and findings to PwC. It was also the first time they've ever been legally threatened for doing their job, despite the discovery of over 100 security vulnerabilities to date. Despite two cease and desist letters, ESNC released their findings anyway -- "because it is the right thing to do."

When pressed for comment, PwC read directly from the tone-deaf playbook, first pointing out that ESNC did not have a license to use this software (irrelevant), then trying to downplay the fact that the vulnerability could enable accounting and financial fraud:

"ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff," said the spokesperson.

"The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialized," the spokespersons said.

This kind of behavior has always been, for lack of a more scientific term, blisteringly idiotic. But it's becoming more of a problem with the rise of the internet-of-poorly-secured things, which has amplified exponentially the number of attack vectors and product vulnerabilities in the wild. With security researchers now clearly warning us that the failure to secure these products will inevitably result in human fatalities at scale, this ongoing attempt to criminalize security research needs to be considered a criminal act in and of itself.

from the holy-crap dept

We haven't really written much about the insane Theranos scandal, though we discussed it on our podcast. The whole story is pretty crazy -- involving a heavily hyped up company that appeared to basically be flat out lying to everyone about what it could do. The company still exists, but barely. The company's founder and CEO, who was plastered across magazine covers and compared frequently to Steve Jobs, has been banned from running a lab for two years, and the company is now facing a $140 million lawsuit from its biggest partner, Walgreens, who claims that Theranos repeatedly lied to Walgreens.

All the while, Walgreens alleges that Theranos: actively misled the company; didn’t live up to the quality and regulatory promises; kept Walgreens in the dark about problems; refused to answer questions as media reports came out about those problems; accused Walgreens of leaking information to the press; and asserted that Walgreens was the one that had breached their agreement.

One thing that became clear as the whole scandal broke was that the company continued to aggressively deny wrongdoing, even as it became more and more obvious that almost everything that Theranos was saying publicly, allowing the company to be valued around $9 billion, was completely bogus. One of the most striking stories that came out a few months ago was a report on the almost cult-like response from Theranos after the very first of a series of articles exposing the fraud came to light. The reporter who did an amazing job in exposing Theranos was the Wall Street Journal's John Carreyrou. And according to a thorough recounting in Vanity Fair, after Carreyrou's first article, rather than honestly addressing the allegations, this happened:

By the time she returned to Palo Alto, the consensus was that it was time, at last, for Holmes to address her hundreds of employees. A company-wide e-mail instructed technicians in lab coats, programmers in T-shirts and jeans, and a slew of support staff to meet in the cafeteria. There, Holmes, with Balwani at her side, began an eloquent speech in her typical baritone, explaining to her loyal colleagues that they were changing the world. As she continued, Holmes grew more impassioned. The Journal, she said, had gotten the story wrong. Carreyrou, she insisted, with a tinge of fury, was simply picking a fight. She handed the stage to Balwani, who echoed her sentiments.

After he wrapped up, the leaders of Theranos stood before their employees and surveyed the room. Then a chant erupted. “Fuck you . . .,” employees began yelling in unison, “Carreyrou.” It began to grow louder still. “Fuck you, Carreyrou!” Soon men and women in lab coats, and programmers in T-shirts and jeans, joined in. They were chanting with fervor: “Fuck you, Carreyrou!,” they cried out. “Fuck you, Carreyrou! Fuck. You. Carrey-rou!”

That same Vanity Fair article notes that the company's lawyer, David Boies, threatened employees for talking to journalists. Boies, you may recall, made a name for himself for taking on Microsoft in the 1990s, but since then has been involved in a series of... well... bad decisions. You may recall him sending out bullshit letters threatening media companies for reporting on the leaked Sony emails a couple years ago. Boies also represented Oracle against Google in the fight over copyrighting APIs, and also represented SCO, back during that company's ridiculous legal fight against IBM over Linux. In this case, Boies wasn't just a lawyer for Theranos, but on their board as well:

Meanwhile, Theranos had its lawyers send a letter to Rochelle Gibbons’s attorney, threatening legal action for talking to a reporter. “It has been the Company’s desire not to pursue legal action against Mrs. Gibbons,” a lawyer for Boies, Schiller & Flexner wrote. “Unless she immediately ceases these actions, she will leave the Company no other option but to pursue litigation to definitively put an end [to] these actions once and for all.”

It turns out those aren't the only people Theranos went after. The same reporter who exposed the fraud and was the subject of those chants recently had another story detailing the ridiculous lengths that Theranos has gone to in an effort to silence one of the whistleblowers who revealed the problems at the company. The story is quite incredible (though, possibly blocked by the WSJ's paywall). The whistleblower was a guy named Tyler Shultz -- who just happened to be the grandson of well known former Reagan Secretary of State George Shultz... who also was on Theranos' board (the board was stocked with famous political people, and few with any actual experience in Theranos' field). The younger Shultz apparently had emailed Elizabeth Holmes pointing out how the company was doctoring research and received a lecture instead:

After working at Theranos Inc. for eight months, Tyler Shultz decided he had seen enough. On April 11, 2014, he emailed company founder Elizabeth Holmes to complain that Theranos had doctored research and ignored failed quality-control checks.

The reply was withering. Ms. Holmes forwarded the email to Theranos President Sunny Balwani, who belittled Mr. Shultz’s grasp of basic mathematics and his knowledge of laboratory science, and then took a swipe at his relationship with George Shultz, the former secretary of state and a Theranos director.

“The only reason I have taken so much time away from work to address this personally is because you are Mr. Shultz’s grandson,” wrote Mr. Balwani to his employee in an email, a copy of which was reviewed by The Wall Street Journal.

The rest of the story is pretty incredible. Shultz, smartly, quit that same day, and then reached out to regulators in NY to blow the whistle on misrepresentations by Theranos, helping lead to the eventual unraveling of the company. And, again, rather than deal with the actual problems, the company just targeted the younger Shultz (and, incredibly, the grandfather sided with the company).

In the past year and a half, the grandson and grandfather have rarely spoken or seen one another, communicating mainly through lawyers, says Tyler Shultz. He and his parents have spent more than $400,000 on legal fees, he says. He didn’t attend his grandfather’s 95th birthday celebration in December. Ms. Holmes did.

“Fraud is not a trade secret,” says Mr. Shultz, who hoped his grandfather would cut ties with Theranos once the company’s practices became known. “I refuse to allow bullying, intimidation and threat of legal action to take away my First Amendment right to speak out against wrongdoing.”

First of all, kudos to Tyler Shultz for standing up to this bullying. And, second, what the hell is wrong with Theranos that they seemed so focused on attacking anyone who questions them, rather than focusing on actually fixing the problem? I get that there's this view of Silicon Valley companies where there's something of a "fake it, until you make it" attitude, but there are limits.

There's much more in the WSJ story that is really quite incredible. It suggests a level of closing ranks to protect the reputation of Theranos, rather than actually dealing with the fact that their stuff didn't work the way they said it would.

After searching the Fertility Bridges web site, identifying what appeared to be an ideal donor, and receiving confirmation from Fertility Bridges that the donor had confirmed her willingness to proceed, Oliver wrote a large check to Fertility Bridges. However, as soon as the company had received Oliver’s payment, Fertility Bridges went dark concerning the donor's availability instead of moving forward with an egg donation. Then, just after Oliver’s check had cleared, Fertility Bridges admitted that the donor was unwilling to go forward with the procedure, without giving any reason, and suggested that she choose another of the company's available donors. But when Oliver asked for a refund of the entire fee that she had paid Fertility Bridges, the company temporized for a while, and then refused. In the circumstances, Oliver suspected that she had been the victim of a bait and switch.

Oliver took her complaint to the Better Business Bureau. Shortly thereafter, she received a threatening email (the first of several) from Fertility Bridges stating that the agreement it had failed to uphold on its end had been violated by Oliver's complaint.

"You directly violated our legal agreement by attempting to post an online review. As such, we are setting the plans in motion for a multi-million dollar defamation case against you. . . . unless you withdraw your unwarranted BBB complaint or any illegal online reviews, we will proceed at lightening [sic] speed in a defamation case against you to minimize as much damage as possible. We have your signed legal agreement clearly stating you will NOT post online reviews."

"M. ONLINE REVIEWS "Because of the extremely private and emotionally delicate nature of the egg donation business Recipients agree NOT to post any online reviews anywhere on the Internet without first presenting it to Fertility Bridges for legal review. . . .

"N. APPLICATION OF LAW "Recipients agree that this Agreement will be governed and interpreted by California jurisdiction. . . .

"Q. SETTLEMENT OF DISPUTES "Recipients agree to mediation to resolve any disputes. If mediation does not resolve the issues then Recipients agree to binding arbitration to settle disputes [and] in California Jurisdiction..."

Fertility Bridges' own agreement immediately undercuts its threats of a (baseless) "multi-million dollar defamation case," as it binds both parties to mediation and arbitration. The parts about California's jurisdiction undercut the rest.

[G]iven the (oddly-worded) provision subjecting the agreement to California law, even if the clause were construed as forbidding disparaging reviews without prior approval, the clause would be forbidden by the new California law that prevents companies from imposing non-disparagement clauses in consumer agreements.

The combination of legal errors might cause one to wonder what sort of lawyer helped compose the threatening emails sent to Oliver. Levy tried to speak to Fertility Bridges' legal representation on behalf of Oliver. His attempt was met by Fertility Bridges tugging at its suspenders and claiming it was just a humble, small-time fertility consulting company that didn't much care for big city lawyerin' -- despite its succession of escalating emails suggesting Oliver would be sued into the ground for attempting to badmouth the company.

In fact, for all of its assertions that any review or complaint about its services would first need to be viewed by Fertility Bridges' legal team before publication, the company appears to have no legal representation retained to handle this task. In an email conversation with Levy, the company (comically) makes it clear it would need to retain a specific type of lawyer to handle Oliver's challenge of its non-disparagement clause. [All spelling and grammatical errors in the following are quoted directly. Emphasis added.]

Thanks for your prompt response. If the Olivers feel the need to post something on the Internet, we can't stop them. As you have read we do not have a gag clause, we ask that they present to our attorney or mediator to verify the facts are truthful and void of medical privacy data so that they do not subject themselves to libel.

Do have them post away and we will hire a separate attorney who focuses specifically on false claims (not truthful ones - since those are ok to post and have always been.) As you know different attorneys specialize in different types of the law so we will hire one who specializes in this. We are not lawyers and don't intent to be. Our goal is to create a service that helps and leave the legal matters up to the experts.

We have an attorney who is responding to their NJ claim but we don't feel she has the expertise to advise on libel claim since it will be important to learn the details of libel once we head into mediation with the client.

Will you serve as their lawyer defending them against their lies they are intending to write online? Are you libel attorney?

[...]

If you feel there is anything else we need to know about this case, please pass all and we will share with our with a specialized libel attorney when we hire one. 9 days is too short a time to find and hire This special kind of attorney so we will do this after posts are made and take the right amount of time to find the right one. Once they are made, we will know how extreme the situation is, exactly the nature of their post and we will have a chance to state our response refuting their claims in the public forum they are posting on and what potential damages that might occur as a result. I am sure there is some case law that already defines what the legal remedies are for posting libelous remarks online and we will aim to find an attorney who knows.

I assume once an actual lawyer is retained by Fertility Bridges, all communication along these lines will cease. The non-disparagement clause Fertility Bridges claims isn't a non-disparagement clause is actually unenforceable in California -- the state it's chosen to handle its litigation in. And if Oliver's review actually contains defamatory statements, there are legal remedies the company can pursue that have nothing to do with its shady "run it by our [nonexistent] lawyers first" clause. As Levy points out, given the legal remedies readily available, the only reason to insert language like this into service agreements is to discourage unhappy customers from making their complaints public.

from the repeat-after-me... dept

Another day, another ridiculous legal threat. This time it's from a company called "TellSpec" against the news site Pando Daily. Last year, it appears that Pando had a couple of articles about Tellspec, a crowdfunded food scanning project that raised $386,392 on IndieGoGo. Pando was reasonably skeptical of the product, which claimed it could tell you the "allergens, chemicals, nutrients, calories and ingredients" of your food just by "scanning" the food with a handheld device. Pando called it a "giant medical scam."

Physicists weighed in that the scientific claims made by Hoffman and Watson were at best dubious and at worst a blatant scam. According to TellSpec’s Indiegogo page, their food scanner would be powered by a “Raman spectrometer,” which puts out pulses of light to measure particle density and collect a detailed fingerprint of the food which is then analyzed in order to calculate nutritional information.

Physicists called bull. Raman spectrometers are weak, big and expensive. To do this scan accurately you would need to be sending out a high density of wavelengths from the spectrometer, fueled by a high-powered source, not a tiny rechargeable battery as TellSpec claimed. It would be impossible, many people said, to miniaturize this so dramatically and to do so for a $250 price tag. That’s without taking into account that most experts suspected the technology would be useless in assessing the finer details of food texture and detecting small trace ingredients in low concentrations, like the food allergens it swore it could find.

Pando noted that after public criticism, TellSpec added a disclaimer (not originally in its pitch video) that the video was not of a real device, but was "solely for the purposes of demonstration." Since the campaign was funded, the story from TellSpec has changed over time. Here's more from that Pando article from last year:

On November 18, TellSpec posted a “Live demonstration of technology” on its YouTube page. Unlike the small, less than palm sized device promised on Indiegogo, the scanner used in the four-minute video is much larger, doesn’t operate wirelessly and has a secondary part crudely taped onto it.

Also, some video trickery:

Once again TellSpec displays its knack for misleading videos. When the camera focuses in on the phone to show off its analysis of the food being scanned, the phone’s clock is clearly on display. The first result is from 1:30 p.m., but in the next shot it’s 1:21 p.m., 1:22 p.m. and 1:23 p.m, before jumping back in time again to 1:15 p.m., 1:18 p.m. and 1:19 p.m. What we’re clearly seeing is not a live demo, but a series of cut together clips which cast doubt on whether what’s shown on screen has any connection to what was scanned by the device.

And then there's this:

Then surprise, surprise, in mid-March, TellSpec updated their Indiegogo page to say that they were ditching the technology that they claimed in the video to have spent nine months working on. The TellSpec scanner wouldn’t have a Raman spectrometer in it, but would instead feature Texas Instruments’ DLP technology, essentially a series of micro-mirrors that switch on and off at high speed.

Last year, Tellspec was victim of a persistent and consistent defamation attacks, with three articles written by James Robinson and published by Pando Daily. We have sent requests to the editor as well as the past writer to retract the defamation done both on Tellsepc [sic] and my person.

Social media and in particular RedIt [sic] has several explanations that are not very ethical for this sudden attack on Tellspec, I encourage you to read them. After several failed attempts to contact the editor I have engaged a lawyer to start an action against Pando Daily.

I understand that you are now the chairman for Pando Daily and I wonder if you are aware of this. I would appreciate a call or an email so this can be resolved amicable [sic] and without further delay. Tellspec has suffered financial losses due to these articles that claim we are a scam. Please advice [sic] if we can talk before my lawyer contacts you and the editor.

Isabel

All typos in the original. This is a joke. As Ken "Popehat" White often points out, a hallmark of censorious trademark attacks is a failure to actually show what statements the person or company believes to be defamatory. Also, generally speaking, the statute of limitations on defamation claims is one year. The article that Isabel Hoffman/TellSpec is complaining about is from April of 2014. They kinda missed their window to sue, if they truly believed it to be defamatory. Of course, there would actually need to be defamation in the original article as well. And I'll say this as someone who generally is not a fan of Pando's reporting, I can't find a single thing in the original articles that would even border on defamation.

In the Pando article about the threatened lawsuit, Pando editor Paul Carr notes that Hoffman called Pando's lawyer and is now threatening to sue the site in the UK (famous for somewhat more ridiculous defamation laws) despite the fact that Tellspec appears to be based in Canada and the US, not the UK. After a bout of "libel tourism" the UK finally updated its defamation laws a few years back to make it much harder for non-UK individuals and companies to sue there. And Pando is based in the US as well. Even assuming there was some legitimate way to get a case going in the UK, the SPEECH Act in the US would certainly protect Pando. In short, the whole threat appears to be your standard ridiculous bullying, which will only serve to draw more public scrutiny to Tellspec's silly project and the original claims it made that it has failed to live up to. Or, as Carr notes:

Hopefully it goes without saying that Tellspec is very welcome to sue us in San Francisco, London, Timbuktu or on Mars. We stand firmly behind our coverage of Tellspec and, as is our policy in these situations, will aggressively defend -- in any court that actually has lawful jurisdiction over Pando -- against any attempt to silence our reporting.

Of course, finding a lawyer actually willing to file a lawsuit in any of those places may prove to be a challenge. Someone accurately calling you out for a sketchy product with a misleading pitch is not defamation. Sending threats past most reasonable statutes of limitations is not a good idea. Sending a threat to sue in a random third party country is not a good idea. And, of course, doing all of that in an attempt to stifle some bad press coverage of your sketchy product is... well... not generally a sign of good judgment.

The takedown request was preceded by an "impersonal email" from Alara Mills -- a cease and desist letter loaded with all sorts of scary claims about thousands of dollars being potentially at stake.

“You neither asked for nor received permission to use the Work… nor to make or distribute copies of it. Therefore, you have infringed my rights under 17 U.S.C. Section 101 et seq. and could be liable for statutory damages as high as $150,000 as set forth in Section 504(c)(2) therein.”

As Mike Riethmuller points out, he had never seen Alara Mills' version of this HTML5 table. His was inspired by another person's (Josh Duck) and was mainly just an exercise in CSS, rather than some sort of cottage industry designed to undercut the only thing Alara Mills offers at her website.

Here's a thumbnail version of Alara Mills' HTML5 periodic table of elements, which we're posting to provide commentary on her copyright claims (since she appears to be very litigious about anyone doing anything -- we'd like to suggest she do some studying of fair use before complaining about this usage):

Because Mills is so protective of this product, there's no way to get a closer look at the arrangement of the elements to verify whether or not Riethmuller "copied" her layout.

Duck's bears more resemblance to this than her finished product, but it's still not an exact copy. Besides, it's unclear what "copyrightable elements" Duck's could have possibly copied. The periodic table itself is not (and it's certainly not the creation of Alara Mills). The HTML 5 elements are not. The color arrangement, maybe? But those are different. The HTML5 logo is not. What little that might be protectable in Mills' effort is clearly not in Duck's. It is merely the same idea -- and ideas are not copyrightable.

And the link between Duck and Mills is extremely tenuous. Here's what Mills' lawsuit presents as "evidence" that Duck infringed on her table.

Mills emailed a copy of her prospectus to Kirk Kazanjian on July 12, 2010, which contained a derivative work of the HTML Table of Elements in order to receive initial feedback from him before pursuing book publishers. Kirk Kazanjian is a literary agent/former co-worker of Mills. Mills sells quick reference guides, wall-reference posters, and table posters displaying the HTML5 Elements Table™ graphic. A true and correct copy of the graphic submitted to Kirk Kazanjian in Mills’ email is attached hereto as Exhibit D.

[...]

On information and belief, Duck has been aware of Mills’ HTML5 Elements Table™ since July 2010, when Mills emailed a copy of the graphic to Kirk Kazanjian.

On information and belief, Duck had access to Mills’ HTML5 Elements Table™

No further explanation is provided. The cease-and-desist that preceded the lawsuit is similarly vague. It simply makes an accusation but never explains how her legal representation (or Mills herself) arrived at this conclusion.

Ms. Mills submitted an earlier version of her chart within a book prospectus to a publisher in July 29, 2010, a copy of which is enclosed. This is the version that was possibly leaked to you in creation of your Periodic Table.

In other words, Mills found something on the internet that resembled something she thought was an entirely original idea, and the only conclusion she could come to was that somehow Duck must have gotten ahold of her submission. There are multiple more likely explanations for this -- chief among them being that things based on the periodic table will often resemble the periodic table as well as the hierarchy of coding terms being fairly rigid. These two elements mean that any independent creation utilizing both of these will bear heavy resemblance to another.

This was settled out of court. Duck agreed to remove the non-infringing chart in return for a dismissal with prejudice. The alternative would have been an expensive trip through the judicial system. Mills seems to feel that this acquiescence gives her the right to pursue creators of similar charts -- not similar to the version she sells -- but similar to the version she still maintains Duck "stole" from her.

Alara Mills, however, would rather not talk about it. After engaging with her for a bit on Twitter, she suddenly deleted most of her tweets to me.

Fortunately, the deleted tweets have been preserved.

Now, Riethmuller has never seen this "leaked" version. He's only (possibly) seen Duck's. But he's building on a lot more than Duck. He's building on the same foundation Mills did. Only he's not claiming his chart is somehow sacrosanct.

The information about each element was shamelessly stolen from the Mozilla Developer Network (MDN) and the layout is thanks to Dmitri Mendeleev. But luckily MDN and Dmitri are all about the learning and they support the community; as such I have much love for them both.

These two entities clearly inspired Mills as well, but no one went after her for utilizing the work of others. Riethmuller clearly didn't use hers as a starting point, but she thinks she can lock down an unoriginal idea and keep anyone else from expressing a combination of periodic tables and HTML5 elements that hews a bit too closely to hers. She's wrong, of course, and Riethmuller has filed a counternotice against her DMCA takedown. As of now, his table is still live at Github.

Riethmuller recognizes his work is not "original," but also that it's no "copy" of Mills' work. Unlike Mills, he wants people to build on his efforts, not consider it an endpoint that must not be remade, altered or otherwise moved forward.

I’d love to remake this using flexbox and update it with newer HTML elements and more detailed content. I’d love people to be able to fork it and learn more about creating challenging layouts with css. Or develop something new from this concept.

Riethmuller also points out how truly pointless creation would be if all creators acted like Alara Mills.

Imagine if we all received copyright challenges over something as tenuous as a particular layout and subject matter. This would mean there could only be one single column web development blog (and not only that it would be a book).

Mills doesn't "own" this idea, nor does she have any right to push these creations off the internet. But that's what she's been doing. She still has yet to answer my question as to the unsubstantiated claim that Duck had access to an unreleased version and has apparently rescinded her offer to tell me her side of the story. It doesn't take much to get the ball rolling on copyright trolling. All it takes is for someone to believe that only they could have arrived at this creative destination and that all others are simply infringers.

This story, however, has somewhat of a happy ending. Mills reached out to Riethmuller late in the day (a few hours after the half-deleted Twitter conversation took place) and apologized to him and withdrew her legal threats. According to Riethmuller, she appears to finally have realized that her claims of ownership over HTML5 periodic tables are extremely weak and that ambushing creators who are wholly unaware of her previous iterations (not that those supposed "copies," like Duck's, infringed on that design either) with cease-and-desist orders does nothing but turn people against her -- and copyright in general.

from the despite-doing-the-same-to-others... dept

Rupert Murdoch's News Corp. has a rather long and somewhat sordid history of obtaining confidential information and publishing it. But apparently when someone else does that to News Corp., the company declares war. The Australian website Crikey got its hands on some internal News Corp. documents showing how badly its Australian newspapers were performing. The financial results were disastrous. Apparently, News Corp. didn't take the story particularly well and sent in its angry lawyers:

In a letter to general counsels at Fairfax Media, Seven West Media, APN News & Media, the ABC, SBS, Nine Entertainment Co and Ten Network Holdings, Ian Philip, chief general counsel at News Corp Australia, wrote: “It has come to the attention of News Limited that Crikey.com.au has today published documents and information which is highly confidential and commercially sensitive to News.

“In particular, Crikey has published in full News Corps' Weekly Operating Statement for a week ending 30 June 2013, as well as a number of articles referring to the contents of the Weekly Operating Statement.

“The disclosure of this document is entirely unauthorised, and News is taking the necessary and appropriate action against Crikey (including considering all available legal avenues).

“News will also take appropriate action against any other entity or individual who publishes the Weekly Operating Statement and/or its contents, including by referring to or summarising its contents.

Soon after this, Crikey and News Corp. "reached a legal agreement" whereby Crikey agreed to take down and "destroy" the document, but with no gag order or injunction on its reporting over what was in the document.

Of course, the really amazing part in all of this is just how hypocritical News Corp. is in trying to suppress the leak. Others have pointed out that News Corp. has a history of doing exactly the sort of thing it's now complaining about:

Media academic Associate Professor David McKnight, who has authored a book about Mr Murdoch, says News Corp is being "extraordinarily hypocritical".

"Coming from a media company that frequently publishes leaks, you really only have to imagine what News Corp would do if they had their hands on an equivalent document on Fairfax's internal operations, it would have been spread all over the front page with half a dozen gloating articles inside," he said.

"I can't imagine that News Corp would go ahead with the suggestion that there would be legal action, I mean it would just be the most extraordinary hypocrisy."

News Corp titles in the past have published the odd article based on internal Fairfax Media documents (not more than 20 or so in the last year). And nothing could be more scrupulous than their concern for the public good when The Australian published outdated salaries of senior ABC journalists.

Oh, and that same report notes that News Corp.'s own reporters, in publishing the salaries of ABC journalists, had mocked them as "overpaid." But the internal report that Crikey published showed that not only is News Corp.'s The Australian losing a ton of money, its employees are paid even more than those ABC journalists.

from the now-you-see-it dept

Let me let you in on a little fantasy of mine: every once in a while, I like to imagine finding myself meeting the person who came up with the term "global warming." Why? So I can punish that person. Severely. See, what a term like "global warming" does is allow the guy in the cubicle next to me to point out of the window in Chicago and say, "If global warming is true, why is it snowing out again?" And that, friends, is something nobody should have to deal with.

Climate change is the better term, of course, and the majority of the scientific community firmly believes that there is such a thing as man-made climate change. From there, we could have a discussion about how profound the effects of climate change are, whether they're actually better or worse, what other contributing factors might be in play in impacting climate, and all the rest, and those would be worthy conversations to have. What we shouldn't do is try to use the law to silence dissenting opinions, particularly if those opinions come in the form of scientific research. Yet, that is exactly what one scientific journal has allowed to happen after publishing an article on the link between those who deny climate change and those who believe in a more wide-ranging array of conspiracy theories. Frontiers originally published the piece last year, but took it down once the legal threats started rolling in. After an internal investigation found the peer-reviewed study to be sound, you'd have thought they'd re-publish it. You'd be wrong. Here's the statement about the retraction from the journal itself.

In the light of a small number of complaints received following publication of the original research article cited above, Frontiers carried out a detailed investigation of the academic, ethical and legal aspects of the work. This investigation did not identify any issues with the academic and ethical aspects of the study. It did, however, determine that the legal context is insufficiently clear and therefore Frontiers wishes to retract the published article. The authors understand this decision, while they stand by their article and regret the limitations on academic freedom which can be caused by legal factors.

In other words, a study that was judged by peers to be scientifically sound has been disappeared over the murky threats of possible legal action. Let that sink in for a moment: science is undone because some people didn't like it. The author of the study resided at the time in the UK, where libel laws used to be of a construction specifically designed to fill the courthouses with all manner of craziness. Just recently, the UK has improved its libel laws to lessen the chilling effect of lawsuits on the progression of science. On top of that, the internal review at the journal found no issues with the study after making some minor alterations to appease the angry. Frontiers didn't see fit to re-publish, however.

It is hard to imagine a set of outcomes that would have better remedied each issue flagged by Frontiers as a matter of concern. So it came as quite a shock to hear that the journal had decided to retract the paper ostensibly because “the legal context is insufficiently clear”.

Look, if you're a climate change denier, that's cool. I don't agree with you, but feel free to write up your own research, publish any compelling information you can come up with, and all the rest. Consensus is never something I've been much interested in; I'd rather have multiple ideas to choose from and study. And, hey, if you think we never landed on the moon, Hitler was actually fighting the lizard-people now running world government, and 9/11 was all a holographic light-show designed to allow George Bush to fulfill his childhood dream of landing on an aircraft carrier in a flightsuit, have at it. I want you to let me know you believe in that stuff, because that's how I'll know to keep my future children away from you.

But the other side of the coin is that we shouldn't be allowing your side to silence science, either. Fair is fair, after all.

from the gun-to-own-head,-Kiss-Trust-warns:-'don't-laugh.-you're-next.' dept

Once again, it's time to discuss bogus C&D notices, specifically those that acknowledge Section 230 protections before blithely continuing on with the legal threats as though those protections have absolutely no bearing on the subject at hand.

A few weeks ago, a flurry of registered letters and FedEx packages started arriving at the Mustache residence. They were from a law firm representing a company who didn't like something that had been said by a member of the Forum section of this website.

How did they even find out about this conversation, you might ask? Through Google searches. After all these years, this website has garnered sufficient page rank that when we talk about something, it shows up high in the search engine rankings. The company was apparently Googling their own name, found something they did not agree with, and decided they wanted to silence the critics.

The first letter that arrived wasn't sent by a lawyer, but by Glenn Armand, the Chairman of Eastern Point Trust Company, which owns and operates Kiss Trust, the entity besmirched by a forum member's comment. With the introductions made, the vagaries commenced:

It has come to our attention your website's www.MrMoneyMoustache.com has a forum entry http://www.mrmoneymustache.com/forum/ask-a-mustachian/kiss-trust-12422/msg196528/#msg196528 titled "Kiss Trust" which contains numerous false and flagrantly defamatory statements regarding Kiss Trust. Additionally, these posts infringe on our trademarks and copyright in violation of the DMCA.

Note that Armand fails to point out (other than providing a link to a post that has since been locked down by the site owner) any specifics about the "numerous false and flagrantly defamatory statements." (The comment in question appears to be this one, as the wording "scam" and "marketing ploy" are mentioned directly by other, less stupidly-written, letters.)

(There's another comment mentioned directly in this letter, "toxic rates," but that one isn't addressed in subsequent communication.)

Also note that the DMCA has nothing to do with trademarks and that defamatory statements rarely violate trademark and copyright law directly. This appears to be Armand throwing every IP-related term at the wall and hoping the resulting mess would scare MMM into deleting the offending post(s).

The letter then attempts to appeal to the site owner's "reasonableness" before making unreasonable requests… like preventing the posting of anything related to Kiss Trust by forum members… in perpetuity. It also cites the Lanham Act, somehow claiming that forum members' posts involve MMM in "deceptive business practices" because his site is ad-supported.

It also mentions another post where a user says Kiss Trust's fees are "positively toxic" as compared to a 529 plan for purposes of college savings, something that would certainly be a statement of opinion -- unless Armand somehow believes this person is stating that opening a Kiss Trust account would literally poison or otherwise physically debilitate the account holder. Plus, it includes a comparison, meaning that a subjective balancing act has been performed by the commenter, who found (subjectively) Kiss Trust's terms wanting.

Then Armand decides the forum posts are "articles," not comments, and claims (without providing specifics) that everything in question (which could be almost anything due to the lack of specificity) is "without a doubt" false and derogatory. He then approaches the trademark/copyright angle, re-asserting that defamation somehow infringes on both.

So, the site owner decided to take down the original thread pending legal advice, while also recognizing the threatening letter was almost completely without merit -- especially in terms of Section 230. He also started a thread to discuss the legal threats. Once that went live, the legal mail came pouring in.

The next letter came from the law offices of Mark B. Williams, and this one ignores the posts mentioned in the previous letter and focuses instead on MMM's new forum thread about Kiss Trust's legal threats. This one cites "tortious interference, trade disparagement, conversion and libel" as being the issue and, unbelievably, threatens to drag in RICO claims if the alleged behavior continues. The letter asks for the removal of the "blog" (which is a forum post) and, again, that MMM's owner prevent anyone from talking about Kiss Trust for as long as either party exists.

The final (so far...) letter -- this one from the law firm of Robinson|Robinson LLC -- is the one that mentions the applicable Section 230 protections. According to this letter, Kiss Trust has convinced its legal representative that MMM has "chosen to post and re-post" comments that are "defamatory per se," thus depriving the site of these protections. Apparently, running a forum that requires registration is no different than "intentionally encouraging illegal or actionable" (the lawyer's words) posts. That leads to this, um, interesting paragraph.

The statement that my client's business is a scam and a marketing ploy that was posted and then re-posted by you on mrmoneymustache.com, is a clearly false statement published and circulating throughout the google search engine and has caused my client severe economic harm.

Now, while this attorney correctly cites some of Section 230's limitations (via court opinions for somewhat "relevant" cases), he decides, based solely on some magical equation, that MMM has crossed over into the realm of "information content provider," and is no longer protected. But that's a pretty significant misreading of the law. Unless MMM directly edited the comment in question to change it to something disparaging, Section 230 still provides protection, even if MMM maintains control over what third-party posts are allowed to appear within the forums (a.k.a., moderating).

The lawyer goes on to drag RICO statutes into the mix, which is about as relevant to the allegedly defamatory comment as the chairman's earlier complaints about trademark and copyright violations. There is nothing in the RICO statutes that even remotely applies to third-party content.

Tortious interference arises out of someone preventing someone else from entering a contractual relationship, something Kiss Trust can't even claim in its most fevered dream. The post simply asked for someone's opinion on Kiss Trust and received several answers in return. One highlighted the differences between Kiss Trust's offerings and a 529, while another simply stated the trust was a "scam" and a "marketing ploy." While the second post may prove to be defamatory, the mere mentioning of a business' name by another comment doesn't signal the commenter's intent to utilize its services, making the claim of "interference" specious.

Trade disparagement is far broader, and Kiss Trust may be able to prove that simply by proving the comment was defamatory. However, this will likely result in very nominal damages being awarded unless Kiss Trust can provide evidence linking the comment's appearance to a financial downturn.

While a lot of what's being thrown at MMM is questionable, the main error is the misreading of Section 230 in an attempt to hold the site owner accountable for another person's posting. It would seem that if you're going to quote portions of the statute, you might want to read the parts that directly contradict your assertions.

The good news is that MMM has found legal representation that has already begun punching holes in Kiss Trust's misguided legal "strategy." The other good news, for MMM at least, is that news of the bogus C&D is spreading fast, speeding the "circulation" of Kiss Trust's bullying behavior "throughout the google search engine." MMM's post on the debacle keeps rising in the rankings for the search term "Kiss Trust." The post also hit the Top 10 at Hacker News and Popehat tweeted it to 12,000 followers. So, I would imagine Kiss Trust is now wondering why it decided to shoot itself in the reputation over something as unnoticeable as a random person's comment in a sea of forum posts.

Even if the comment proves to be defaming, what does Kiss Trust get in return? A company is free to defend its reputation, but it should, at the very least, consider whether the potential reputation damage will outweigh what it's trying to remove. Well, actually, at the very least, it should understand the laws it's attempting to use so that its efforts aren't wasted pursuing the wrong target.

from the meritless-thuggery-represent! dept

You can't satisfy every critic. Sometimes people just want to complain. But when complaints surface, the worst thing you can do is make legal threats in response. This automatically gives every complaint against the company, no matter how specious, a veneer of truth. And if the complaints are justified, the time and money being deployed to shut up critics would be better utilized fixing the problems.

But some companies never learn. Or if they do learn, it's only after they've been exposed to the glaring sunlight that is the Internet. Baybrook Remodelers of Connecticut, and its owner Ken Carney, are now in that position.

Baybrook Remodelers has been pursuing one such critic for the past two years. Kristen A., who runs a website dedicated to her legal entanglements with Baybrook Remodelers, has been dealing with the company's attempts to curb her criticism since late in 2010. As she details on her site, she first attracted the remodeler's negative attention when she posted negative reviews detailing the company's refusal to honor its contractual design work after she decided to use someone else for the actual construction.

Currently, she's being sued for these reviews, along with "some negative reviews I wrote that were removed from online sites, some negative reviews that other people wrote, and for signs posted on another person’s house."

The signs posted at "another person's house" belong to Kristen's mother, who hung two signs critical of Baybrook Remodelers on her upstairs deck after issues she had with the company. The first sign simply said she did not recommend Baybrook Remodelers. After the owner tried and failed to have her remove this sign (attempts that included approaching Kristen's supervisor and asking him to intercede on his behalf), she hung another one -- one that specifically called out the company for its tendency to file lawsuits against critics, as well as being named in several lawsuits brought by unhappy customers.

Baybrook Remodelers responded by sending this ridiculous letter purporting to be a genuine legal threat.

Not only is the letter riddled with grammatical errors (and covered with Kristen's coffee), but the address of the unnamed attorney traces back to Mailboxes, Etc. Readers will also note that the letter is unsigned and features nothing more than the words "Attorney at law" where a signature (and the name of the attorney) would normally be found.

When this failed to result in the removal of the signs, the remodeler approached the city of Milford, which obligingly circumvented its own statutes in order to yank the house's zoning approval, citing supposed violations from 2003 and 2004. The city also apparently tried to give itself instant, perpetual access to the house (ostensibly to check for further code violations) for as long as she remained living there. The city basically told her it wouldn't issue zoning approval until her signs came down, using the alleged violations -- which fell outside the city code's own six-year statute of limitations -- as leverage. Kristen's mother moved out of her own house in 2011 rather than continue battling Baybrook Remodelers and the city of Milford.

Ken Carney’s lawyer has requested and been granted 15 extensions of time. On one occasion, he went 7 consecutive months without doing what was necessary to keep his case alive, and on another occasion he went another 4 consecutive months without moving his case forward. His lawyer has had 5 chances to rewrite his lawsuit to try to fix whatever was wrong with it.

Finally, the case has a trial date. This was pushed by my lawyer, not Ken Carney’s. Based on their actions so far, Ken Carney and his lawyer would have been happy to let this go another 2½ years.

Here's a look at the docket, which is filled with little other than the plaintiff's extension requests. As Kristen notes, a trial is forthcoming, with jury selection beginning in March. This is what Baybrook's been avoiding. Obviously, it hoped its threats would be enough to quell the criticism. That has backfired and now the company is in the awkward position of having to explain itself to a jury. This isn't the only case Baybrook is dragging its heels on. Another tort case filed by Baybrook Remodelers in 2010 is still ongoing, with numerous extensions having been filed here as well. A motion for summary judgement has been filed by the defendant, who is obviously hoping to finally have this seemingly endless suit tossed.

Kristen's site contains even more details of Baybrook's shady behavior. She noticed that shortly after she posted her negative review detailing the 40+ lawsuits the company was involved in (Dec. 6, 2010), a flood of Baybrook's "admirers" took to these same sites to post glowing reviews of the company. Most of the reviews were posted Dec. 15-17, which either means the company was posting its own reviews or had just wrapped up a ton of contracts for deliriously happy customers. Some reviews even copy-pasted wording from positive reviews written years earlier. Other identically-worded reviews surfaced under different names in January of 2011. One was even posted on Baybrook's website using yet another name.

But the most damning indicator of the company's negative reputation is the 40 pages of complaints filed with the Connecticut Department of Consumer Protection. The complaints detail a variety of issues with Baybrook Remodelers, including its tendency to do shoddy work and leave cleanup and damage repairs to the client. Other complaints point out how reluctant the company is to engage with dissatisfied customers ("owner won't answer his phone").

Additionally, the letter contains no specifics about what Daly (and his client) believe is "defamatory." It just vaguely claims that the sites are and expects Dreamhost to roll over and shut Kristen's sites down. Considering it's been eight days since the takedown demand, it would appear Dreamhost isn't falling for Baybrook Remodelers' vague claims of defamation. (As Ken White at Popehat often states, vagueness in legal threats is the hallmark of meritless thuggery.)

Kristen has admirably stood up to a meritless thug, one that will soon have a chance to explain its tactics to a judge and jury. It will be hard-pressed to point out exactly where Kristen has crossed the defamatory line and will hopefully be made to answer for its endless court delays and nearly three years of harassment.

from the your-periodic-friendly-reminder-that-Apple-will-tell-YOU-what-you-like dept

Apple is still one of the most desirable brands in the world, no doubt largely due to the company's fierce protection of that brand. In addition to periodic bouts of trademark bullying, it has also displayed an alarming antipathy towards developers who stray over the boundaries of what it considers to be acceptable.

Its tight control over the content of apps offered on its platform is notorious. Some see this as nothing more than excessively good quality control. Others see it as something far more arbitrary -- apps removed simply because someone at Apple didn't like them.

A website that helped users locate Apple stores with iPhones and iPads available for sale has shut down its service after being hit with a notice alleging that it violated Apple.com's terms of service.

Apple-Tracker.com and iphone-check.herokuapp.com examined publicly available inventory information from Apple.com and tried to make it easier for people to navigate. The service gained some attention, with articles in the Los Angeles Times and other news sites.

The site now shows a message from developer Mordy Tikotzky saying, "I've decided to turn off the site. I'm not doing this because I want to, but rather because I received a DMCA takedown notice from Apple. I'm not really interested in picking a fight with apple so..... I guess it time to just say good bye." On Twitter, Tikotzky wrote, "It might be legal but I don't have the resources to fight with Apple."

First, just for clarification, what Tikotzky received was not a DMCA notice. It's simply a "takedown notice" issued by Apple's legal team asking him to take down his site.

But why would Apple take his site down? Its sole purpose was to help potential customers find the exact phone or tablet they were looking for by aggregating item availability from all the stores in a certain zip code. Yes, Apple's own site contains a search function but it doesn't do what Tikotzky's site did. Apple will allow you to search for one item (16GB iPad Air) and list stores where it's available. Tikotzky's apple-tracker did this better. It provided a table of all available models and lit up with an easy-to-see green if it was available at a certain store.

To achieve this using Apple's site, a person would have to run multiple searches and keep track of which one had what models. Tikotzky's site automated this -- which is likely what Apple determined to be a violation of its TOS. Here's the relevant part of the TOS as quoted in the takedown letter.

Your Use of the Site. You may not use any “deep-link”, “page-scrape”, “robot”, “spider” or other automatic device, program, algorithm or methodology, or any similar or equivalent manual process, to access, acquire, copy or monitor any portion of the Site or any Content, or in any way reproduce or circumvent the navigational structure or presentation of the Site or any Content, to obtain or attempt to obtain any materials, documents or information through any means not purposely made available through the Site. Apple reserves the right to bar any such activity.

Apple doesn't want you to do much with its site. And this very restrictive wording is what turns handy tools into "violations" and "circumventing the navigational structure" into an unacceptable situation, according to Apple. (Not only that, but if so inclined, someone could probably push for charges under the CFAA, which views this sort of "circumvention" as a crime.)

All this does is maintain the status quo. Do not screw with Apple's stuff. If it wanted a handy aggregation tool, it presumably would have built it itself and covered it in tastefully rounded corners and pleasing color gradients. Tikotzky's tracker may have increased sales, but it ultimately doesn't matter, not when there's turf to protect.

People are constantly searching for ways to improve the services they use, but they're running head on into companies like Apple and Craigslist who take the stance that the customer will get what's provided by the company, instead of what they actually want. It's unfortunate, but for some, protecting the brand is more important than serving those purchasing their products.